Hi, On Sat, Mar 29, 2025 at 07:14:16AM +0900, Michael Paquier wrote: > On Fri, Mar 28, 2025 at 09:00:00PM +0200, Alexander Lakhin wrote: > > Please try the following query: > > BEGIN; > > SET LOCAL stats_fetch_consistency = snapshot; > > SELECT * FROM pg_stat_get_backend_wal(pg_backend_pid());
Thanks for the report! I'm able to reproduce it on my side. The issue can also be triggered with pg_stat_get_backend_io(). The issue is that in pgstat_fetch_stat_backend_by_pid() (and with stats_fetch_consistency set to snapshot) a call to pgstat_clear_backend_activity_snapshot() is done: #0 __memset_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:250 #1 0x0000000001833bf2 in wipe_mem (ptr=0x632000018800, size=80800) at ../../../../src/include/utils/memdebug.h:42 #2 0x0000000001834c51 in AllocSetReset (context=0x619000003c80) at aset.c:586 #3 0x000000000184f32d in MemoryContextResetOnly (context=0x619000003c80) at mcxt.c:419 #4 0x0000000001834ede in AllocSetDelete (context=0x619000003c80) at aset.c:636 #5 0x000000000184f79b in MemoryContextDeleteOnly (context=0x619000003c80) at mcxt.c:528 #6 0x000000000184f5a9 in MemoryContextDelete (context=0x619000003c80) at mcxt.c:482 #7 0x0000000001361e84 in pgstat_clear_backend_activity_snapshot () at backend_status.c:541 #8 0x0000000001367f08 in pgstat_clear_snapshot () at pgstat.c:943 #9 0x0000000001368ac3 in pgstat_prep_snapshot () at pgstat.c:1121 #10 0x00000000013680b9 in pgstat_fetch_entry (kind=6, dboid=0, objid=0) at pgstat.c:961 #11 0x000000000136dd05 in pgstat_fetch_stat_backend (procNumber=0) at pgstat_backend.c:94 #12 0x000000000136de7d in pgstat_fetch_stat_backend_by_pid (pid=3294022, bktype=0x0) at pgstat_backend.c:136 *before* we check for "beentry->st_procpid != pid". I think we can simply move the pgstat_fetch_stat_backend() call at the end of pgstat_fetch_stat_backend_by_pid(), like in the attached. With this in place the issue is fixed on my side. Thoughts? Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
>From 1605f513ad691b463baacc00e3c305655525ea07 Mon Sep 17 00:00:00 2001 From: Bertrand Drouvot <bertranddrouvot...@gmail.com> Date: Mon, 31 Mar 2025 07:02:34 +0000 Subject: [PATCH v1] Fix heap-use-after-free in pgstat_fetch_stat_backend_by_pid() With stats_fetch_consistency set to snapshot the beentry is reset during the pgstat_fetch_stat_backend() call. So moving this call at the end of pgstat_fetch_stat_backend_by_pid(). Reported-by: Alexander Lakhin <exclus...@gmail.com> --- src/backend/utils/activity/pgstat_backend.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 100.0% src/backend/utils/activity/ diff --git a/src/backend/utils/activity/pgstat_backend.c b/src/backend/utils/activity/pgstat_backend.c index 187c5c76e1e..ec95c302af8 100644 --- a/src/backend/utils/activity/pgstat_backend.c +++ b/src/backend/utils/activity/pgstat_backend.c @@ -133,10 +133,6 @@ pgstat_fetch_stat_backend_by_pid(int pid, BackendType *bktype) if (!pgstat_tracks_backend_bktype(beentry->st_backendType)) return NULL; - backend_stats = pgstat_fetch_stat_backend(procNumber); - if (!backend_stats) - return NULL; - /* if PID does not match, leave */ if (beentry->st_procpid != pid) return NULL; @@ -144,6 +140,10 @@ pgstat_fetch_stat_backend_by_pid(int pid, BackendType *bktype) if (bktype) *bktype = beentry->st_backendType; + backend_stats = pgstat_fetch_stat_backend(procNumber); + if (!backend_stats) + return NULL; + return backend_stats; } -- 2.34.1
